Abstract —We consider a simple multiple access network
(SMAN), where k sources of unit rates transmit their data to 
a common sink via n relays. Each relay is connected to the 
sink and to certain sources. A coding scheme (for the relays) is 
weakly secure if a passive adversary who eavesdrops on less than 
k relay-sink links cannot reconstruct the data from each source. 

We show that there exists a weakly secure maximum distance 
separable (MDS) coding scheme for the relays if and only if every 
subset of $\ell$ relays must be collectively connected to at least $\ell + 1$
sources, for all $0 < \ell < k$. Moreover, we prove that this condition
can be verified in polynomial time in n and k. Finally, given 
a SMAN satisfying the aforementioned condition, we provide 
another polynomial time algorithm to trim the network until it 
has a sparsest set of source-relay links that still supports a weakly 
secure MDS coding scheme. 

I. Introduction 

A simple multiple access network (SMAN) is a two-hop 
network, where some k independent sources transmit their 
data to a common sink via $n$ relays. We use $(n, k)$-SMAN
to refer to such a network. An example of a (6,4)-SMAN is
illustrated in Fig. 1. Simple multiple access networks were
studied in the recent work of Yao et al. Ill (to model the 
problem of decentralized distribution of keys from a pool 
among the wireless nodes), Halbawi et al. a, and Dau et 
al. a, ii, 0 . The model of SMAN considered in a is 
more general in the sense that the sources are assumed to 
have arbitrary rates. However, it was shown in m, a that 
as far as the problem of constructing error-correcting codes 
for the relays is concerned, considering unit-rate sources is 
sufficient. Interestingly, the code design problem for SMAN 
was also shown in a, Q to be equivalent to the code design 
problem for weakly secure cooperative data exchange 0, a. 

Error correction for the general multiple access network was 
first investigated in the work of Dikaliotis et al. 0 . The coding 
schemes derived in a are packetized over large fields, which 
are of sizes at least exponential in the number of sources. 
While SMAN is a special case of multiple access network a, 
the authors of a, a, 0 focused more on designing error- 
correcting codes over small fields, whose sizes are linear in n 
and k. Various new problems on balance and sparsity of the 
network were also investigated in a, a. 

In this paper we study the security aspect of the coding
schemes used for the relays in an $(n, k)$-SMAN. More
specifically, we focus on the weak security of such coding 
schemes against a passive adversary, which eavesdrops on 
the relay-sink links. Suppose that each source transmits a
single packet, which is an element of some finite field $\mathbb{F}_q$, to
the sink. All source packets are assumed to be independent
and randomly distributed over $\mathbb{F}_q$. The coding scheme for
the relays is weakly secure if an adversary that eavesdrops
on at most $k - 1$ relay-sink links gains no information (in
Shannon's sense) about each particular source packet. In the
context of decentralized key distribution 0, a wireless node
(corresponding to the sink in the SMAN) contacts its neighbors
(corresponding to the relays in the SMAN) to retrieve $k$ secret
keys $s_i \in \mathbb{F}_q$ ($1 \le i \le k$). Each of its neighbors possesses
some of these $k$ keys and transmits one (coded) packet in
$\mathbb{F}_q$ to that node. In that scenario, a weakly secure coding
scheme for the corresponding SMAN would guarantee that
an adversary that eavesdrops on at most $k - 1$ transmissions
cannot determine explicitly any secret key. Note that Yao et
al. a only considered an active adversary who can corrupt
the transmissions. In this work, we assume the presence of
both an active adversary and a passive adversary. Note that
these two adversaries may be independent of each other. In
other words, they may attack different sets of links.

Fig. 1: An example of a (6,4)-SMAN. Three relay-sink links
(dashed) are eavesdropped. The question is: can we prevent the
adversary from learning about each individual source packet?

The concept of weak security was first discussed by Yamamoto
a in the context of ramp secret sharing scheme.
After Yamamoto 0, weak security was also discovered by
Bhattad and Narayanan M in a more general context of
network coding. Weak security is important in practice since
it guarantees that no meaningful information is leaked to
the adversary, and often requires no additional overhead. For
example, suppose that the adversary obtains the coded packet
$x_1 + x_2$ where $x_1$ and $x_2$ are packets from the sources $s_1$
and $s_2$, respectively. Then the adversary would not be able to
determine either $x_1$ or $x_2$, as from its point of view, both $x_1$
and $x_2$ are completely random variables.














In this work we limit ourselves to maximum distance separable
(MDS) coding schemes (see Section II for definition).
Our main contributions are summarized below.

• We establish a necessary and sufficient condition for the
existence of a weakly secure MDS coding scheme for
the relays. More specifically, there exists a weakly secure
MDS coding scheme for the relays if and only if every
subset of $\ell$ relays must be collectively connected to at
least $\ell + 1$ sources, for all $0 < \ell < k$. Moreover, this
condition, referred to as the Weak Security Condition, can
be verified in polynomial time in $n$ and $k$.

• Given a SMAN satisfying the Weak Security Condition,
we provide a polynomial time algorithm to trim the
network by removing certain source-relay links until it
has the sparsest set of source-relay links that still supports
a weakly secure MDS coding scheme. This algorithm is
similar to the algorithm used to find a maximum matching
in a bipartite graph that deletes edges of the graph one
by one until all remaining edges form a matching.

• We also study the so-called block security, which is 
a generalization of weak security, and characterize the 
block security level of an arbitrary SMAN. 

The first conclusion above describes the additional requirement
on the source-relay links if a passive adversary is also present.
Indeed, an MDS code implemented at the relays allows the
sink to tolerate a maximum number of $\lfloor (n - k + 1)/2 \rfloor$
corrupted relays/links. Such an MDS code exists if and only
if the SMAN satisfies the MDS Condition [3], [4], Q, ifTl:
every subset of $\ell$ relays must be collectively connected to at
least $\ell$ sources, for all $\ell \le k$. Comparing the MDS Condition
and the Weak Security Condition, we conclude that more
source-relay links are required to defend against both an active and
a passive adversary. Hence, a SMAN that survives the most
powerful active adversary, which can corrupt $\lfloor (n - k + 1)/2 \rfloor$
relays/links, may not be weakly secure against a passive
adversary.

The paper is organized as follows. Necessary notation and
definitions are provided in Section II. The weak security for
SMAN is discussed in Section III. The extension of weak
security to block security is investigated in Section IV.

II. Preliminaries 

Let $\mathbb{F}_q$ denote the finite field with $q$ elements. Let $[n]$ denote
the set $\{1, 2, \ldots, n\}$. For a $k \times n$ matrix $M$, for $i \in [k]$ and
$j \in [n]$, let $M_i$ and $M[j]$ denote the row $i$ and the column
$j$ of $M$, respectively. We define below standard notions from
coding theory (for instance, see ini).

The support of a vector $u = (u_1, \ldots, u_n) \in \mathbb{F}_q^n$ is the
set $\mathrm{supp}(u) = \{i \in [n] : u_i \ne 0\}$. The (Hamming) distance
between two vectors $u$ and $v$ of $\mathbb{F}_q^n$ is defined to be
$d(u, v) = |\{i \in [n] : u_i \ne v_i\}|$. A $k$-dimensional subspace $\mathcal{C}$ of $\mathbb{F}_q^n$ is
called a linear $[n, k, d]_q$ (error-correcting) code over $\mathbb{F}_q$ if the
minimum distance $d(\mathcal{C})$ between any pair of distinct vectors
in $\mathcal{C}$ is equal to $d$. Sometimes we may use the notation $[n, k]_q$
or just $[n, k]$ for the sake of simplicity. The vectors in $\mathcal{C}$ are
called codewords. A generator matrix $G$ of an $[n, k]_q$ code
$\mathcal{C}$ is a $k \times n$ matrix whose rows are linearly independent
codewords of $\mathcal{C}$. Then $\mathcal{C} = \{xG : x \in \mathbb{F}_q^k\}$. The well-known
Singleton bound ([11, Ch. 1]) states that for any $[n, k, d]_q$ code,
it holds that $d \le n - k + 1$. If the equality is attained, the code
is called maximum distance separable (MDS).

Definition 1. An $(n, k)$ simple multiple access network
($(n, k)$-SMAN for short) is a network that consists of

• $k$ independent sources $s_1, \ldots, s_k$ of unit rates, one sink,
and $n$ relays $r_1, \ldots, r_n$, where n > k, and

• some directed edges of capacity one that connect certain
source-relay pairs and one directed edge of capacity one
that connects each relay to the sink.

An $(n, k)$-SMAN can be represented by an adjacency
matrix $M = (m_{i,j}) \in \mathbb{F}_2^{k \times n}$ where $m_{i,j} = 1$ if and only
if the source $s_i$ is connected to the relay $r_j$.

Let $X = (X_1, \ldots, X_k)$ be a vector of independent and
identically uniformly distributed random variables over $\mathbb{F}_q$. We
assume that the vector of source packets is $x = (x_1, \ldots, x_k)$,
a realization of $X$. A linear coding scheme for an $(n, k)$-SMAN
is represented by a $k \times n$ matrix $G = (g_{i,j})$ over
$\mathbb{F}_q$. The coding rule for the relays is as follows: $r_j$ ($j \in [n]$)
creates and transmits the coded packet $xG[j]$ to the sink. We
refer to $G$ as the encoding matrix of the coding scheme. Note
that $g_{i,j}$ must be zero whenever $m_{i,j} = 0$. If $G$ generates
a linear code that can correct $t$ errors then the sink can still
determine all $k$ source packets under the presence of at most
$t$ erroneous coded packets sent from some $t$ relays.

A coding scheme based on $G$ is weakly secure if the
conditional entropy

$$H(X_i \mid \{XG[j] : j \in E\}) = H(X_i),$$

for every $i \in [k]$ and for every subset $\varnothing \ne E \subseteq [n]$, $|E| < k$.
In words, a coding scheme is weakly secure if an adversary
that eavesdrops on at most $k - 1$ coded packets transmitted on
different relay-sink links obtains no information about each
particular source packet. Note that we always assume that
$\mathrm{rank}_q(G) = k$. Hence, obviously an adversary that eavesdrops
on certain $k$ linearly independent coded packets can always
retrieve all $k$ source packets.

III. Weak Security for SMAN

A. Necessary and Sufficient Condition for Weak Security

We first derive a necessary and sufficient condition on the 
links between sources and relays for a SMAN to support a 
weakly secure MDS coding scheme. 

Theorem 1. An $(n, k)$-SMAN supports a weakly secure MDS
coding scheme, i.e. there exists a weakly secure MDS coding
scheme for the relays over some finite field $\mathbb{F}_q$, if and only
if every subset of $\ell$ relays must be collectively connected to
at least $\ell + 1$ sources, for all $0 < \ell < k$. In other words, it
requires that

$$\Big|\bigcup_{j \in J} \mathrm{supp}(M[j])\Big| \ge |J| + 1, \quad \forall\, \varnothing \ne J \subseteq [n],\ |J| < k, \tag{1}$$

where $M[j]$ is the $j$th column of the adjacency matrix $M$.
We refer to (1) as the Weak Security Condition for SMAN.




We need a few lemmas for the proof of Theorem 1.

Lemma 1 llfTH'). The $k \times n$ matrix $G$ is a generator matrix of
an $[n, k, d]_q$ error-correcting code if and only if every $n - d + 1$
columns of $G$ has rank $k$.

Lemma 2. A coding scheme based on the matrix $G$ for an
$(n, k)$-SMAN is weakly secure if and only if every $k - 1$
columns of $G$ generates an error-correcting code of minimum
distance at least two.

Proof: This is a corollary of [13, Lemma 3]. More details
can be found in Appendix A. ■

Lemma 3. If the $\ell \times k$ matrix $A$ generates a $[k, \ell, d \ge 2]_q$
error-correcting code then

$$\Big|\bigcup_{j \in J} \mathrm{supp}(A_j)\Big| \ge |J| + 1, \quad \forall\, \varnothing \ne J \subseteq [\ell]. \tag{2}$$

Proof: Suppose that $A$ generates a code of minimum
distance at least two but (2) is violated. Then there exists
$\varnothing \ne J \subseteq [\ell]$ such that

$$\Big|\bigcup_{j \in J} \mathrm{supp}(A_j)\Big| \le |J|. \tag{3}$$

We aim to obtain a contradiction.

Let $I \subseteq [k] \setminus \bigcup_{j \in J} \mathrm{supp}(A_j)$ such that $|I| = k - |J|$.
Moreover, let $L \subseteq [k]$ such that $L \supseteq I$ and $|L| = k - 1$.
Let $A[L]$ be the $\ell \times (k - 1)$ submatrix of $A$ that consists of
columns of $A$ indexed by the elements in $L$. Then according
to Lemma 1 we have

$$\mathrm{rank}_q(A[L]) = \ell. \tag{4}$$

On the other hand, we claim that the $|J|$ rows of $A[L]$ indexed
by the elements in $J$ has rank at most $|J| - 1$. As the remaining
$\ell - |J|$ rows of $A[L]$ has rank at most $\ell - |J|$, we deduce that

$$\mathrm{rank}_q(A[L]) \le (|J| - 1) + (\ell - |J|) < \ell. \tag{5}$$

From (4) and (5) we obtain a contradiction.

We now prove that our aforementioned claim is correct.
Consider the submatrix $A_J[L]$ that consists of rows of $A[L]$
indexed by the elements of $J$. Due to (3) and our assumption
that $L \supseteq I$, the submatrix $A_J[L]$ has at least $k - |J|$ all-zero
columns. Since $|L| = k - 1$, $A_J[L]$ has $k - 1$ columns.
Therefore, it has at most $|J| - 1$ nonzero columns. Hence,
$\mathrm{rank}_q(A_J[L]) \le |J| - 1$, as claimed. ■

Remark 1. The result in Lemma 3 can be extended to $d \ge d'$
for any $d' \ge 1$ by replacing $|J| + 1$ with $|J| + d' - 1$ in (2).

Lemma 4. Let $P$ be a $(k - 1) \times k$ 0-1 matrix. Let $\mathrm{var}(P)$
be the matrix obtained from $P$ by replacing every nonzero
entry of $P$ by some indeterminate over $\mathbb{F}_q$. Suppose that
all of these indeterminates are independent. Let
$f(\mathrm{var}(P)) = \prod_Q \det(Q)$, where the product is taken over all $k$ submatrices
$Q$ of order $k - 1$ of $\mathrm{var}(P)$. Then $f(\mathrm{var}(P))$, which is a
multivariable polynomial in $\mathbb{F}_q[\ldots, \xi_{i,j}, \ldots]$, is not identically
zero if and only if

$$\Big|\bigcup_{j \in J} \mathrm{supp}(P_j)\Big| \ge |J| + 1, \quad \forall\, \varnothing \ne J \subseteq [k - 1]. \tag{6}$$

Proof: The proof follows from [3, Lemma 2-4]. More
details can be found in Appendix B. ■


We are now in position to prove Theorem 1.

Proof of Theorem 1:

Only-If. Suppose that there exists a weakly secure MDS coding
scheme for an $(n, k)$-SMAN described by the adjacency
matrix $M$. We aim to prove that the Weak Security Condition
(1) holds. Let $G$ be the encoding matrix of the weakly secure
MDS coding scheme. Note that as $G$ generates an MDS
code, every subset of $k - 1$ columns of $G$ is always linearly
independent [11, Ch. 11]. Hence, by Lemma 2, every set of
$k - 1$ columns of $G$ must generate a $[k, k - 1, 2]$ error-correcting
code. Note here that $\mathrm{supp}(G[j]) \subseteq \mathrm{supp}(M[j])$ for all $j \in [n]$.
Hence, by applying Lemma 3 to all $(k - 1) \times k$ matrices
corresponding to all subsets of $k - 1$ columns of $G$, it is
straightforward that the Weak Security Condition holds.

If. We assume that the Weak Security Condition holds, i.e.

$$\Big|\bigcup_{j \in J} \mathrm{supp}(M[j])\Big| \ge |J| + 1, \quad \forall\, \varnothing \ne J \subseteq [n],\ |J| \le k - 1.$$

We aim to show that there exists a weakly secure MDS coding
scheme for the corresponding $(n, k)$-SMAN.

Using the same notation as in Lemma 4, let $\mathrm{var}(M) = (v_{i,j})$
where $v_{i,j} = 0$ if $m_{i,j} = 0$ and $v_{i,j} = \xi_{i,j}$ if $m_{i,j} \ne 0$.
Here $\xi_{i,j}$'s are independent indeterminates. For each submatrix
$P'$ of size $k \times (k - 1)$ of $M$, let $P$ be its transpose and
$\mathrm{var}(P)$ the corresponding (transposed) submatrix of $\mathrm{var}(M)$.
We henceforth refer to such a matrix $P$ as a transposed
submatrix of $M$. Note that the Weak Security Condition (1) on
$M$ implies the condition (6) on every transposed submatrix $P$
of size $(k - 1) \times k$ of $M$. Hence, by Lemma 4, the polynomial
$f(\mathrm{var}(P))$ is not identically zero. Let

$$F(\mathrm{var}(M)) = \prod_{P} f(\mathrm{var}(P)) \in \mathbb{F}_q[\ldots, \xi_{i,j}, \ldots],$$

where the product is taken over all transposed submatrices $P$
of size $(k - 1) \times k$ of $M$. Then $F(\mathrm{var}(M)) \not\equiv 0$.

It is obvious that the Weak Security Condition (1) implies
the MDS Condition ID, Q, 171, which requires that every
subset of $\ell$ relays must be collectively connected to at least
$\ell$ sources, for all $\ell \le k$. Hence, if $f(\mathrm{var}(M))$ is the product
of determinants of all submatrices of order $k$ of $\mathrm{var}(M)$ then
$f(\mathrm{var}(M)) \not\equiv 0$, according to [3, Lemma 2-4]. Therefore

$$F^{*}(\mathrm{var}(M)) = f(\mathrm{var}(M)) \times F(\mathrm{var}(M)) \not\equiv 0.$$

Hence, according to Dl Lemma 4], for sufficiently large $q$,
there exists $g_{i,j} \in \mathbb{F}_q$ (for $(i, j)$ where $m_{i,j} = 1$) such that

$$F^{*}(\mathrm{var}(M))(\ldots, g_{i,j}, \ldots) \ne 0.$$

As a consequence,

$$f(\mathrm{var}(P))(\ldots, g_{i,j}, \ldots) \ne 0, \tag{7}$$

for every transposed submatrix $P$ of size $(k - 1) \times k$ of $M$. Let
$G = (g_{i,j})$ (if $m_{i,j} = 0$ we set $g_{i,j} = 0$). Then thanks to (7),
every transposed submatrix $A$ of size $(k - 1) \times k$ of $G$ satisfies
the following property: all submatrices of order $k - 1$ of $A$ are
invertible. Hence, according to [11, Ch. 11], every set of $k - 1$
columns of $G$ generates an MDS $[k, k - 1, 2]_q$ error-correcting
code. Thus, by Lemma 2, the coding scheme based on $G$ is
weakly secure. Moreover, as $f(\mathrm{var}(M))(\ldots, g_{i,j}, \ldots) \ne 0$
as well, it follows that every submatrix of order $k$ of $G$ is
invertible. Thus, $G$ also generates an MDS code. ■

Remark 2. Theorem 1 shows what the additional cost is
(in terms of source-relay links) when a passive adversary is
also present, on top of an active adversary. More specifically,
while defending against an active adversary requires that every
subset of $\ell$ relays must be collectively connected to at least
$\ell$ sources, for all $\ell \le k$, defending against both adversaries
requires that every subset of $\ell$ relays must be collectively
connected to at least $\ell + 1$ sources, for all $0 < \ell < k$.


B. Verification of Weak Security Condition in Polynomial Time

While designing a weakly secure MDS coding scheme for
a given $(n, k)$-SMAN may require non-polynomial time (as
random coding over finite fields with exponentially large sizes
is used), verifying whether a SMAN supports a weakly secure
MDS coding scheme can be done in polynomial time. We
prove this fact below using a proper modification of the proof
of [5, Lemma 10]. We first present a simple lemma. Its proof
is similar to the proof of [3, Lemma 4] and can be found in
Appendix C.

Lemma 5. The Weak Security Condition (1) is equivalent to
the following:

$$\Big|\bigcup_{i \in I} \mathrm{supp}(M_i)\Big| \ge n - k + |I| + 1, \quad \forall\, \varnothing \ne I \subsetneq [k]. \tag{8}$$


Proposition 1. The Weak Security Condition (1) can be
verified in polynomial time in $n$ and $k$.

Proof: By Lemma 5, it suffices to prove that (8) can be
verified in polynomial time for all $\varnothing \ne I \subseteq [k] \setminus \{i_0\}$, for
every $i_0 \in [k]$. Without loss of generality, let $i_0 = k$. The
other cases can be proved in the same manner. We associate
with $M$ a network $\mathcal{N}_k(M)$ constructed as follows. The set
of nodes of $\mathcal{N}_k(M)$ consists of

• a source node $s$,

• $n$ packet nodes $s_1, \ldots, s_n$,

• $k - 1$ coding nodes $r_1, \ldots, r_{k-1}$,

• $k - 1$ broadcast nodes $b_1, \ldots, b_{k-1}$,

• $k - 1$ sink nodes $t_1, \ldots, t_{k-1}$.

To simplify the notation, set $R_i = \mathrm{supp}(M_i)$. The set of
directed edges of $\mathcal{N}_k(M)$ consists of

• one edge of capacity one from $s$ to $s_i$, $\forall i \in [n]$,

• one edge of capacity infinity from $s_j$ to $r_i$ if $j \in R_i$,

• one edge of capacity one from $r_i$ to $b_i$, $\forall i \in [k - 1]$,

• one edge of capacity infinity from $r_i$ to $t_i$, $\forall i \in [k - 1]$,

• one edge of capacity infinity from $b_i$ to $t_j$, $\forall i, j \in [k - 1]$.

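For instance, for the (6,4)-SMAN in Fig. 1, the corresponding
adjacency matrix is

$$\begin{pmatrix} 1 & 1 & 1 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 0 & 1 & 0 & 1 \\ 0 & 0 & 1 & 0 & 1 & 1 \end{pmatrix}, \tag{9}$$

and the corresponding network $\mathcal{N}_k(M)$ is depicted in Fig. 2.

Fig. 2: The network $\mathcal{N}_k(M)$ associated to $M$ in (9) when
$i_0 = k = 4$.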


A cut $(S, T)$ of a network is a partition of the set of nodes
of that network into two parts, namely $S$ and $T$. We are only
interested in cuts that separate the source and some sink, i.e.
$S$ contains the source and $T$ contains some sink. Let $c(u, v)$
denote the capacity of an edge $(u, v)$ in a network. Then the
capacity of a cut $(S, T)$ is defined as

$$c(S, T) = \sum_{u \in S,\, v \in T} c(u, v).$$

Consider the following Min-Cut Condition for $\mathcal{N}_k(M)$: the
capacity of every cut that separates $s$ and any sink is at least
$n$. According to the Network Flow Algorithm (Ford-Fulkerson
Algorithm), we can verify the Min-Cut Condition for $\mathcal{N}_k(M)$
in polynomial time. Therefore, it suffices for our purpose to
show that the condition (8) restricted to those $I \subseteq [k - 1]$ (for
$M$) is equivalent to the Min-Cut Condition (for $\mathcal{N}_k(M)$).

Suppose that the Min-Cut Condition for $\mathcal{N}_k(M)$ holds. We
aim to prove that (8) restricted to those $I \subseteq [k - 1]$ also holds
for $M$. Let $I$ be an arbitrary nonempty subset of $[k - 1]$.
Recall that we use $R_i$ to denote $\mathrm{supp}(M_i)$. Consider a cut
$(S, T)$ where

$$T = \{t_i : i \in I\} \cup \{b_i : 1 \le i \le k - 1\} \cup \{r_i : i \in I\} \cup \{s_j : j \in \cup_{i \in I} R_i\}.$$

Then the capacity of $(S, T)$ is

$$c(S, T) = \sum_{j \in \cup_{i \in I} R_i} c(s, s_j) + \sum_{i \notin I} c(r_i, b_i) = |\cup_{i \in I} R_i| + k - 1 - |I|.$$

As $c(S, T) \ge n$, we have

$$|\cup_{i \in I} R_i| \ge n - k + |I| + 1.$$

Conversely, suppose that (8) restricted to those $I \subseteq [k - 1]$
holds. We need to prove that $c(S, T) \ge n$ for every cut $(S, T)$
that separates $s$ and some sink. Suppose that $\{t_i\}_{i \in I'} \subseteq T$,
where $\varnothing \ne I' \subseteq [k - 1]$, and that $t_i \notin T$ if $i \notin I'$. If
$c(S, T) = \infty$ then it is larger than $n$ trivially. Now suppose that
$c(S, T) < \infty$. Then $(S, T)$ does not contain any edge of the form
$(s_j, r_i)$, $(r_i, t_i)$, or $(b_j, t_i)$, as these have capacity infinity. Hence,
$T$ must contain the following nodes

• $t_i$ for all $i \in I'$, because of our definition of $(S, T)$,

• $b_j$ for all $j \in [k - 1]$, as $c(b_j, t_i) = \infty$ for every $j$ and $i$,

• $r_i$ for all $i \in I'$, as $c(r_i, t_i) = \infty$ for every $i$.

Let $I$ be the subset of $[k - 1]$ that satisfies

$$T \cap \{r_1, \ldots, r_{k-1}\} = \{r_i\}_{i \in I}.$$

Then $I' \subseteq I$. Since $c(s_j, r_i) = \infty$ when $j \in R_i$, the set $T$
must also contain the packet nodes $s_j$ if $j \in R_i$ for some
$i \in I$. Therefore,

$$c(S, T) \ge \sum_{j \in \cup_{i \in I} R_i} c(s, s_j) + \sum_{i \notin I} c(r_i, b_i) = |\cup_{i \in I} R_i| + k - 1 - |I| \ge (n - k + |I| + 1) + k - 1 - |I| = n.$$

We complete the proof. ■

C. Trimming SMAN While Preserving Weak Security in Polynomial Time

Given an $(n, k)$-SMAN that satisfies the Weak Security
Condition (1), Theorem 2 states that one can trim the network
to obtain a sparsest possible network where the Weak Security
Condition is still satisfied. Moreover, the trimming process can
be done in polynomial time in $n$ and $k$. We prove this theorem
in Appendix D. Note that we use here the equivalent statement
of the Weak Security Condition stated in Lemma 5.

Theorem 2. For each $i \in [k]$ let $R_i$ be an arbitrary subset of
$[n]$ (n > k). Suppose that

$$|\cup_{i \in I} R_i| \ge n - k + |I| + 1, \quad \forall\, \varnothing \ne I \subsetneq [k]. \tag{10}$$

Then for every $i \in [k]$ there exists a subset $R'_i \subseteq R_i$ such that

• $|\cup_{i \in I} R'_i| \ge n - k + |I| + 1$, $\forall\, \varnothing \ne I \subsetneq [k]$,

• $|R'_i| = n - k + 2$, for all $i \in [k]$.

Moreover, such subsets $R'_i$ can be found in polynomial time.
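
The checks of Sections III-B and III-C as an added Python example, not code from the paper: a brute-force test of condition (1), the min-cut test on the network of Proposition 1, and a greedy link-removal pass that re-runs the test after every removal (it tries each link once rather than choosing pairs a, b as in Appendix D). Assumptions: the Lemma 5 condition is taken over nonempty proper subsets of [k], all function names are illustrative, and DENSE is a constructed sample.

```python
from collections import defaultdict, deque
from itertools import combinations

INF = float("inf")

def reaches_enough_sources(M, extra=1):
    """Brute force over relay subsets J: J must reach >= |J| + extra sources.
    extra=1, |J| < k is condition (1); extra=0, |J| <= k is the MDS Condition."""
    k, n = len(M), len(M[0])
    cols = [{i for i in range(k) if M[i][j]} for j in range(n)]
    sizes = range(1, k if extra else k + 1)
    return all(len(set().union(*(cols[j] for j in J))) >= size + extra
               for size in sizes for J in combinations(range(n), size))

def max_flow(cap, s, t):
    """Edmonds-Karp on a dict-of-dicts of residual capacities (mutated in place)."""
    flow = 0
    while True:
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][w] for u, w in path)   # finite: every path leaves s
        for u, w in path:
            cap[u][w] -= push
            cap[w][u] = cap[w].get(u, 0) + push
        flow += push

def build_network(rows, n):
    """Network of Proposition 1 for the k-1 row supports left after dropping i0."""
    cap = defaultdict(dict)
    for j in range(n):
        cap["s"][("packet", j)] = 1
    for i, support in enumerate(rows):
        for j in support:
            cap[("packet", j)][("coding", i)] = INF
        cap[("coding", i)][("bcast", i)] = 1
        cap[("coding", i)][("sink", i)] = INF
        for i2 in range(len(rows)):
            cap[("bcast", i)][("sink", i2)] = INF
    return cap

def weak_security_by_min_cut(M):
    """Lemma 5 form of the condition: every s-sink min cut is >= n, for every i0."""
    k, n = len(M), len(M[0])
    supp = [{j for j in range(n) if M[i][j]} for i in range(k)]
    return all(max_flow(build_network(supp[:i0] + supp[i0 + 1:], n),
                        "s", ("sink", i)) >= n
               for i0 in range(k) for i in range(k - 1))

def trim(M):
    """Greedy link removal: drop a source-relay link whenever the min-cut check
    still passes. One pass suffices because removals only make the check harder."""
    if not weak_security_by_min_cut(M):
        raise ValueError("input violates the Weak Security Condition")
    T = [list(row) for row in M]
    for i in range(len(T)):
        for j in range(len(T[0])):
            if T[i][j]:
                T[i][j] = 0
                if not weak_security_by_min_cut(T):
                    T[i][j] = 1          # link is needed, restore it
    return T

# Adjacency matrix (9) of the (6,4)-SMAN, as read from the page.
M9 = [[1, 1, 1, 0, 0, 0],
      [1, 0, 0, 1, 1, 0],
      [0, 1, 0, 1, 0, 1],
      [0, 0, 1, 0, 1, 1]]
# Constructed sample: the densest (6,4)-SMAN, every source linked to every relay.
DENSE = [[1] * 6 for _ in range(4)]

if __name__ == "__main__":
    print("matrix (9): MDS", reaches_enough_sources(M9, extra=0),
          "weak security", weak_security_by_min_cut(M9))
    for row in trim(DENSE):
        print(row)
```

On matrix (9) the MDS Condition holds but the Weak Security Condition does not: relays 1, 2 and 4 together reach only sources 1, 2 and 3.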

IV. Extension to block security

In this section we extend our result on weak security to
a more general concept of block security (or security against
guessing in some other works in the network coding literature).

The coding scheme for an $(n, k)$-SMAN based on a $k \times n$
encoding matrix $G$ is $b_\ell$-block secure against a passive adversary
of strength $\ell$ ($\ell < k$) if the conditional entropy

$$H(\{X_j : j \in B\} \mid \{XG[j] : j \in E\}) = H(\{X_j : j \in B\}),$$

for every subset $B \subseteq [k]$, $|B| \le b_\ell$, and for every subset
$E \subseteq [n]$, $|E| \le \ell$. In words, a coding scheme is $b_\ell$-block
secure against an adversary of strength $\ell$ if an adversary
that eavesdrops on at most $\ell$ relay-sink packets obtains no
information about each subset of at most $b_\ell$ source packets.
In that case, even if the adversary can guess correctly some
$b_\ell - 1$ source packets, it still gains no information about any
other packet.

Theorem 3. An $(n, k)$-SMAN supports an MDS coding
scheme that is $b_\ell$-block secure against an adversary of strength
$\ell$ if and only if

$$\Big|\bigcup_{j \in J} \mathrm{supp}(M[j])\Big| \ge |J| + b_\ell, \quad \forall\, \varnothing \ne J \subseteq [n],\ |J| \le \ell, \tag{11}$$

where $M[j]$ denotes the $j$th column of the adjacency matrix
$M$. Note that in the right-hand side of (11), the first term $|J|$
corresponds to the MDS Condition, while the second term $b_\ell$
corresponds to the block security level.

Theorem 3 characterizes the block security level of an MDS
coding scheme for SMAN based on the density of the source-relay
links. In a special case where the SMAN is densest, i.e.
each source is connected to all relays, then according to Il5l, a
Cauchy matrix would provide the best level of block security,
which is $b_\ell = k - \ell$. The proof of Theorem 3 follows the
same idea of that of Theorem 1, using a generalized version
of Lemma 3 (see Remark 1). We omit the proof.

While the Weak Security Condition can be verified in
polynomial time, it is not known whether a similar conclusion
holds for block security. More specifically, given an $(n, k)$-SMAN
and a sequence $\{b_\ell\}$, whether (11) can be verified
in polynomial time is still an open question.

Appendix

A. Proof of Lemma 2

This lemma is a corollary of [13, Lemma 3]. We refer the
reader to ini and its extended version for a detailed and
rigorous proof. Nevertheless, we provide here an informal
proof that may illustrate better the intuition behind this lemma.
Below we refer to the number of nonzero coordinates of a
vector as its (Hamming) weight. It is well known in coding
theory that the minimum Hamming weight of a nonzero
codeword of any linear error-correcting code is equal to its
minimum distance.

Suppose that every $k - 1$ columns of the coding matrix
$G$ generates an error-correcting code of minimum distance
$d \ge 2$. Suppose that a passive adversary obtains $xG[E]$, where
$G[E]$ is the $k \times (k - 1)$ submatrix of $G$ formed by columns
indexed by $E$, for some $E \subseteq [n]$, $|E| = k - 1$. Hence, it can
linearly transform these $k - 1$ coded symbols by considering
the product

$$xG[E]\alpha^t = x(\alpha G[E]^t)^t = xc^t,$$

where $\alpha \in \mathbb{F}_q^{k-1}$ is some coefficient vector, the superscript "t"
denotes the transpose, and $c = \alpha G[E]^t$. Since the columns
of $G[E]$ generate an error-correcting code of minimum
distance at least two, $c$, if nonzero, has weight at least two.
In other words, if $c \ne 0$ then it has at least two nonzero
coordinates. As a result, $xc^t$ is a linear combination of at
least two source packets. Therefore, by linearly transforming
the eavesdropped coded symbols $xG[E]$, the adversary cannot
determine explicitly each source packet. As the source packets
are independent and uniformly randomly distributed over $\mathbb{F}_q$,
this is equivalent to saying that the conditional entropy of each
source packet remains the same given the knowledge of $k - 1$
coded packets. Hence, the coding scheme is weakly secure.

Conversely, if for some subset $E \subseteq [n]$, $|E| = k - 1$, the
columns of $G[E]$ generate a linear error-correcting code of
minimum distance one, then there exists $\alpha \in \mathbb{F}_q^{k-1}$ such that
$c = \alpha G[E]^t$ has weight one. Suppose that $c_i \ne 0$ and $c_j = 0$
if $j \ne i$. Then by post-multiplying $xG[E]$ by $\alpha^t$, the adversary
obtains the source packet $x_i$ explicitly. Hence, in this case the
coding scheme is not weakly secure.
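
The argument above as an added example, not code from the paper: for an encoding matrix G over a prime field and a set E of eavesdropped relay-sink links, it lists the source packets the adversary can isolate by linear combination, which is the weight-one case of the proof. The field sizes, the all-ones coefficients placed on the support of matrix (9), the points used for the Cauchy matrix, and all function names are assumptions made for illustration.

```python
from itertools import combinations

def rank_mod_p(rows, p):
    """Rank of a matrix (list of row lists) over GF(p), p prime, by Gauss-Jordan."""
    A = [[x % p for x in r] for r in rows]
    rank = 0
    for c in range(len(A[0]) if A else 0):
        piv = next((r for r in range(rank, len(A)) if A[r][c]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        inv = pow(A[rank][c], -1, p)
        A[rank] = [x * inv % p for x in A[rank]]
        for r in range(len(A)):
            if r != rank and A[r][c]:
                f = A[r][c]
                A[r] = [(x - f * y) % p for x, y in zip(A[r], A[rank])]
        rank += 1
    return rank

def leaked_sources(G, E, p):
    """Indices i for which some combination c = alpha * G[E]^t equals a nonzero
    multiple of the unit vector e_i, so the adversary recovers x_i explicitly."""
    k = len(G)
    span = [[G[i][j] for i in range(k)] for j in E]   # eavesdropped columns, as rows
    base = rank_mod_p(span, p)
    return [i for i in range(k)
            if rank_mod_p(span + [[int(t == i) for t in range(k)]], p) == base]

def is_weakly_secure(G, p):
    """Exhaustive form of Lemma 2: no set of k-1 relay-sink links leaks any x_i.
    Smaller sets need no separate check, since their span is contained in these."""
    k, n = len(G), len(G[0])
    return all(not leaked_sources(G, E, p) for E in combinations(range(n), k - 1))

# Constructed sample: coefficient 1 on every link of matrix (9), over GF(7).
G9 = [[1, 1, 1, 0, 0, 0],
      [1, 0, 0, 1, 1, 0],
      [0, 1, 0, 1, 0, 1],
      [0, 0, 1, 0, 1, 1]]

# Constructed sample: 3 x 4 Cauchy matrix 1/(x - y) over GF(11) for the densest
# (4,3)-SMAN; every square submatrix of a Cauchy matrix is invertible.
P = 11
CAUCHY = [[pow((x - y) % P, -1, P) for y in (3, 4, 5, 6)] for x in (0, 1, 2)]

if __name__ == "__main__":
    print("links 1,2,4 of G9 leak sources:", [i + 1 for i in leaked_sources(G9, [0, 1, 3], 7)])
    print("links 1,2 of G9 leak sources:", leaked_sources(G9, [0, 1], 7))
    print("Cauchy scheme weakly secure:", is_weakly_secure(CAUCHY, P))
```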

B. Proof of Lemma 4

This lemma is a corollary of [3, Lemma 2-4]. Indeed, let
$M$ be a $k \times n$ binary matrix. Then [3, Lemma 2-4] conclude
that $f(\mathrm{var}(M)) \not\equiv 0$ if and only if

$$\Big|\bigcup_{i \in I} \mathrm{supp}(M_i)\Big| \ge n - k + |I|, \quad \forall\, \varnothing \ne I \subseteq [k].$$

Applying this conclusion to the $(k - 1) \times k$ matrix $P$ in
Lemma 4, the proof follows.

C. Proof of Lemma 5

Suppose that (1) does not hold, i.e. there exists $\varnothing \ne J \subseteq [n]$,
$|J| \le k - 1$, such that

$$\Big|\bigcup_{j \in J} \mathrm{supp}(M[j])\Big| \le |J|. \tag{12}$$

We aim to show that (8) does not hold either. Indeed, from
(12), let $I \subseteq [k] \setminus \bigcup_{j \in J} \mathrm{supp}(M[j])$ such that $|I| = k - |J|$.
Because $1 \le |J| \le k - 1$, we deduce that $\varnothing \ne I \subsetneq [k]$. Moreover,
due to (12) and our assumption that $I \subseteq [k] \setminus \bigcup_{j \in J} \mathrm{supp}(M[j])$,
we conclude that

$$\Big|\bigcup_{i \in I} \mathrm{supp}(M_i)\Big| \le n - |J| = n - k + |I|.$$

Hence, (8) is violated.

Conversely, we need to show that if (8) does not hold then
neither does (1). The proof is completely similar and therefore
is omitted.


D. Proof of Theorem 2

We can prove this theorem by modifying the proof of [4,
Theorem 2] accordingly. Both proofs follow the same idea of
a well-known proof of Hall's marriage theorem: repeatedly
removing the edges of the bipartite graph until the graph
becomes sparsest yet still satisfies the Hall's condition. To
simplify the notation, for a set $I \subseteq [k]$ we use $R_I$ to denote
the union $\bigcup_{i \in I} R_i$.

Suppose that the sets $R_i$ satisfy (10). We keep removing the
elements of these sets while maintaining the Weak Security
Condition (10). Assume that at some point, the removal of
any element in any set $R_i$ would make them violate (10). We
prove that now the sets $R_i$ have cardinality precisely $n - k + 2$,
which concludes the first part of the theorem.

Suppose, for contradiction, that there exists $r \in [k]$ such
that $|R_r| \ge n - k + 3$. Take $a$ and $b$ in $R_r$, $a \ne b$. For all
$i \in [k]$, let

$$R_i^a = \begin{cases} R_i \setminus \{a\}, & \text{if } i = r, \\ R_i, & \text{otherwise,} \end{cases} \tag{13}$$

$$R_i^b = \begin{cases} R_i \setminus \{b\}, & \text{if } i = r, \\ R_i, & \text{otherwise.} \end{cases} \tag{14}$$

According to our assumption, both of the two collections of
sets $\{R_i^a\}_{i \in [k]}$ and $\{R_i^b\}_{i \in [k]}$ violate (10). Therefore, there
exist two nonempty subsets $A \subseteq [k]$ and $B \subseteq [k]$, $r \notin A \cup B$,
such that

$$|R^a_{A \cup \{r\}}| < n - k + |A| + 2, \tag{15}$$

$$|R^b_{B \cup \{r\}}| < n - k + |B| + 2. \tag{16}$$

Since $r \notin A$, by (13) we have

$$|R^a_{A \cup \{r\}}| \ge |R^a_A| = |R_A| \ge n - k + |A| + 1. \tag{17}$$

Similarly, since $r \notin B$, by (14) we have

$$|R^b_{B \cup \{r\}}| \ge |R^b_B| = |R_B| \ge n - k + |B| + 1. \tag{18}$$

From (15) and (17) we deduce that

$$|R^a_{A \cup \{r\}}| = |R^a_A| = |R_A| = n - k + |A| + 1. \tag{19}$$

Similarly, from (16) and (18) we have

$$|R^b_{B \cup \{r\}}| = |R^b_B| = |R_B| = n - k + |B| + 1. \tag{20}$$

Therefore,

$$R^a_{A \cup \{r\}} \cap R^b_{B \cup \{r\}} = R_A \cap R_B. \tag{21}$$

Moreover, as $a \in R^b_{B \cup \{r\}}$ and $b \in R^a_{A \cup \{r\}}$, we deduce that

$$R^a_{A \cup \{r\}} \cup R^b_{B \cup \{r\}} = R_{A \cup B \cup \{r\}}. \tag{22}$$

From (19) and (20) we have

$$\begin{aligned} 2(n - k) + |A| + |B| + 2 &= |R^a_{A \cup \{r\}}| + |R^b_{B \cup \{r\}}| \\ &= |R^a_{A \cup \{r\}} \cup R^b_{B \cup \{r\}}| + |R^a_{A \cup \{r\}} \cap R^b_{B \cup \{r\}}| \\ &= |R_{A \cup B \cup \{r\}}| + |R_A \cap R_B|, \end{aligned} \tag{23}$$

where the last transition is due to (21) and (22). We further
evaluate the two terms of the last sum in (23) as follows. The
first term

$$|R_{A \cup B \cup \{r\}}| \ge n - k + |A \cup B \cup \{r\}| + 1 = n - k + |A \cup B| + 2. \tag{24}$$

The second term

$$|R_A \cap R_B| \ge n - k + |A \cap B| + 1, \tag{25}$$

which can be explained below.

• If $A \cap B \ne \varnothing$, then by applying (10) to $A \cap B$ we obtain

$$|R_A \cap R_B| \ge |R_{A \cap B}| \ge n - k + |A \cap B| + 1.$$

• If $A \cap B = \varnothing$, then $n - k + |A \cap B| + 1 = n - k + 1$.
We have

$$R^a_{A \cup \{r\}} = R_A \cup (R_r \setminus \{a\}). \tag{26}$$

By (19), $R^a_{A \cup \{r\}} = R_A$. Combining this with (26) we
deduce that

$$R_r \setminus \{a\} \subseteq R_A. \tag{27}$$

Similarly,

$$R_r \setminus \{b\} \subseteq R_B. \tag{28}$$

From (27) and (28) we have

$$|R_A \cap R_B| \ge |R_r \setminus \{a, b\}| \ge (n - k + 3) - 2 = n - k + 1,$$

which proves that (25) is correct when $A \cap B = \varnothing$.

Finally, from (23), (24), and (25) we deduce that

$$2(n - k) + |A| + |B| + 2 \ge (n - k + |A \cup B| + 2) + (n - k + |A \cap B| + 1) = 2(n - k) + |A| + |B| + 3,$$

which produces a contradiction.

The proof of the first part of this theorem also provides
a polynomial time algorithm to find subsets of $R_i$'s that all
have cardinality $n - k + 2$ yet still maintain the Weak Security
Condition (10). Indeed, we keep removing the elements of
the subsets $R_i$ in the following way. If there exists $r \in [k]$
such that $|R_r| \ge n - k + 3$, then as we just prove, for
$a, b \in R_r$, it is impossible that removing $a$ or $b$ from $R_r$
both render the Weak Security Condition violated. Therefore,
we can either remove $a$ or $b$ while still maintaining the Weak
Security Condition. Note that by Proposition 1, the Weak
Security Condition can be verified in polynomial time in $k$ and
$n$. Therefore, this algorithm terminates in polynomial time in
$k$ and $n$ and produces subsets $R'_i$'s of the original sets $R_i$'s
that satisfy the stated requirement in the theorem. Note that
by setting $I = \{i\}$, the Weak Security Condition (10) implies
that $|R'_i| \ge n - k + 2$. Hence, those $R'_i$'s form a sparsest
$(n, k)$-SMAN that still supports a weakly secure MDS coding
scheme.




